Azure built-in roles for Hybrid + multicloud
This article lists the Azure built-in roles in the Hybrid + multicloud category.
Azure Resource Bridge Deployment Role
Azure Resource Bridge Deployment Role
Actions | Description |
---|---|
Microsoft.Authorization/roleassignments/read | Get information about a role assignment. |
Microsoft.AzureStackHCI/Register/Action | Registers the subscription for the Azure Stack HCI resource provider and enables the creation of Azure Stack HCI resources. |
Microsoft.ResourceConnector/register/action | Registers the subscription for Appliances resource provider and enables the creation of Appliance. |
Microsoft.ResourceConnector/appliances/read | Gets an Appliance resource |
Microsoft.ResourceConnector/appliances/write | Creates or Updates Appliance resource |
Microsoft.ResourceConnector/appliances/delete | Deletes Appliance resource |
Microsoft.ResourceConnector/locations/operationresults/read | Get result of Appliance operation |
Microsoft.ResourceConnector/locations/operationsstatus/read | Get result of Appliance operation |
Microsoft.ResourceConnector/appliances/listClusterUserCredential/action | Get an appliance cluster user credential |
Microsoft.ResourceConnector/appliances/listKeys/action | Get an appliance cluster customer user keys |
Microsoft.ResourceConnector/appliances/upgradeGraphs/read | Gets the upgrade graph of Appliance cluster |
Microsoft.ResourceConnector/telemetryconfig/read | Get Appliances telemetry config utilized by Appliances CLI |
Microsoft.ResourceConnector/operations/read | Gets list of Available Operations for Appliances |
Microsoft.ExtendedLocation/register/action | Registers the subscription for Custom Location resource provider and enables the creation of Custom Location. |
Microsoft.ExtendedLocation/customLocations/deploy/action | Deploy permissions to a Custom Location resource |
Microsoft.ExtendedLocation/customLocations/read | Gets a Custom Location resource |
Microsoft.ExtendedLocation/customLocations/write | Creates or Updates Custom Location resource |
Microsoft.ExtendedLocation/customLocations/delete | Deletes Custom Location resource |
Microsoft.HybridConnectivity/register/action | Register the subscription for Microsoft.HybridConnectivity |
Microsoft.Kubernetes/register/action | Registers Subscription with Microsoft.Kubernetes resource provider |
Microsoft.KubernetesConfiguration/register/action | Registers subscription to Microsoft.KubernetesConfiguration resource provider. |
Microsoft.KubernetesConfiguration/extensions/write | Creates or updates extension resource. |
Microsoft.KubernetesConfiguration/extensions/read | Gets extension instance resource. |
Microsoft.KubernetesConfiguration/extensions/delete | Deletes extension instance resource. |
Microsoft.KubernetesConfiguration/extensions/operations/read | Gets Async Operation status. |
Microsoft.KubernetesConfiguration/namespaces/read | Get Namespace Resource |
Microsoft.KubernetesConfiguration/operations/read | Gets available operations of the Microsoft.KubernetesConfiguration resource provider. |
Microsoft.GuestConfiguration/guestConfigurationAssignments/read | Get guest configuration assignment. |
Microsoft.HybridContainerService/register/action | Register the subscription for Microsoft.HybridContainerService |
Microsoft.HybridContainerService/kubernetesVersions/read | Lists the supported kubernetes versions from the underlying custom location |
Microsoft.HybridContainerService/kubernetesVersions/write | Puts the kubernetes version resource type |
Microsoft.HybridContainerService/skus/read | Lists the supported VM SKUs from the underlying custom location |
Microsoft.HybridContainerService/skus/write | Puts the VM SKUs resource type |
Microsoft.Resources/subscriptions/resourceGroups/read | Gets or lists resource groups. |
Microsoft.AzureStackHCI/StorageContainers/Write | Creates/Updates storage containers resource |
Microsoft.AzureStackHCI/StorageContainers/Read | Gets/Lists storage containers resource |
NotActions | |
none | |
DataActions | |
none | |
NotDataActions | |
none | |
{
"assignableScopes": [
"/"
],
"description": "Azure Resource Bridge Deployment Role",
"id": "/providers/Microsoft.Authorization/roleDefinitions/7b1f81f9-4196-4058-8aae-762e593270df",
"name": "7b1f81f9-4196-4058-8aae-762e593270df",
"permissions": [
{
"actions": [
"Microsoft.Authorization/roleassignments/read",
"Microsoft.AzureStackHCI/Register/Action",
"Microsoft.ResourceConnector/register/action",
"Microsoft.ResourceConnector/appliances/read",
"Microsoft.ResourceConnector/appliances/write",
"Microsoft.ResourceConnector/appliances/delete",
"Microsoft.ResourceConnector/locations/operationresults/read",
"Microsoft.ResourceConnector/locations/operationsstatus/read",
"Microsoft.ResourceConnector/appliances/listClusterUserCredential/action",
"Microsoft.ResourceConnector/appliances/listKeys/action",
"Microsoft.ResourceConnector/appliances/upgradeGraphs/read",
"Microsoft.ResourceConnector/telemetryconfig/read",
"Microsoft.ResourceConnector/operations/read",
"Microsoft.ExtendedLocation/register/action",
"Microsoft.ExtendedLocation/customLocations/deploy/action",
"Microsoft.ExtendedLocation/customLocations/read",
"Microsoft.ExtendedLocation/customLocations/write",
"Microsoft.ExtendedLocation/customLocations/delete",
"Microsoft.HybridConnectivity/register/action",
"Microsoft.Kubernetes/register/action",
"Microsoft.KubernetesConfiguration/register/action",
"Microsoft.KubernetesConfiguration/extensions/write",
"Microsoft.KubernetesConfiguration/extensions/read",
"Microsoft.KubernetesConfiguration/extensions/delete",
"Microsoft.KubernetesConfiguration/extensions/operations/read",
"Microsoft.KubernetesConfiguration/namespaces/read",
"Microsoft.KubernetesConfiguration/operations/read",
"Microsoft.GuestConfiguration/guestConfigurationAssignments/read",
"Microsoft.HybridContainerService/register/action",
"Microsoft.HybridContainerService/kubernetesVersions/read",
"Microsoft.HybridContainerService/kubernetesVersions/write",
"Microsoft.HybridContainerService/skus/read",
"Microsoft.HybridContainerService/skus/write",
"Microsoft.Resources/subscriptions/resourceGroups/read",
"Microsoft.AzureStackHCI/StorageContainers/Write",
"Microsoft.AzureStackHCI/StorageContainers/Read"
],
"notActions": [],
"dataActions": [],
"notDataActions": []
}
],
"roleName": "Azure Resource Bridge Deployment Role",
"roleType": "BuiltInRole",
"type": "Microsoft.Authorization/roleDefinitions"
}
Azure Stack HCI Administrator
Grants full access to the cluster and its resources, including the ability to register Azure Stack HCI and assign others as Azure Arc HCI VM Contributor and/or Azure Arc HCI VM Reader
Actions | Description |
---|---|
Microsoft.AzureStackHCI/register/action | Registers the subscription for the Azure Stack HCI resource provider and enables the creation of Azure Stack HCI resources. |
Microsoft.AzureStackHCI/Unregister/Action | Unregisters the subscription for the Azure Stack HCI resource provider. |
Microsoft.AzureStackHCI/clusters/* | |
Microsoft.AzureStackHCI/NetworkSecurityGroups/Read | Gets/Lists a network security group resource |
Microsoft.AzureStackHCI/NetworkSecurityGroups/SecurityRules/Read | Gets/Lists security rule resource |
Microsoft.AzureStackHCI/NetworkSecurityGroups/Write | Creates/Updates a network security group resource |
Microsoft.AzureStackHCI/NetworkSecurityGroups/SecurityRules/Write | Creates/Updates security rule resource |
Microsoft.AzureStackHCI/NetworkSecurityGroups/Delete | Deletes a network security group resource |
Microsoft.AzureStackHCI/NetworkSecurityGroups/SecurityRules/Delete | Deletes a security rule resource |
Microsoft.AzureStackHCI/NetworkSecurityGroups/join/action | Joins network security group resource |
Microsoft.HybridCompute/register/action | Registers the subscription for the Microsoft.HybridCompute Resource Provider |
Microsoft.GuestConfiguration/register/action | Registers the subscription for the Microsoft.GuestConfiguration resource provider. |
Microsoft.GuestConfiguration/guestConfigurationAssignments/read | Get guest configuration assignment. |
Microsoft.Resources/subscriptions/resourceGroups/write | Creates or updates a resource group. |
Microsoft.Resources/subscriptions/resourceGroups/delete | Deletes a resource group and all its resources. |
Microsoft.HybridConnectivity/register/action | Register the subscription for Microsoft.HybridConnectivity |
Microsoft.Authorization/roleAssignments/write | Create a role assignment at the specified scope. |
Microsoft.Authorization/roleAssignments/delete | Delete a role assignment at the specified scope. |
Microsoft.Authorization/*/read | Read roles and role assignments |
Microsoft.Resources/deployments/* | Create and manage a deployment |
Microsoft.Resources/subscriptions/resourceGroups/read | Gets or lists resource groups. |
Microsoft.Resources/subscriptions/read | Gets the list of subscriptions. |
Microsoft.Management/managementGroups/read | List management groups for the authenticated user. |
Microsoft.AzureStackHCI/* | |
Microsoft.Insights/AlertRules/Write | Create or update a classic metric alert |
Microsoft.Insights/AlertRules/Delete | Delete a classic metric alert |
Microsoft.Insights/AlertRules/Read | Read a classic metric alert |
Microsoft.Insights/AlertRules/Activated/Action | Classic metric alert activated |
Microsoft.Insights/AlertRules/Resolved/Action | Classic metric alert resolved |
Microsoft.Insights/AlertRules/Throttled/Action | Classic metric alert rule throttled |
Microsoft.Insights/AlertRules/Incidents/Read | Read a classic metric alert incident |
Microsoft.Resources/subscriptions/resourcegroups/deployments/read | Gets or lists deployments. |
Microsoft.Resources/subscriptions/resourcegroups/deployments/write | Creates or updates a deployment. |
Microsoft.Resources/subscriptions/resourcegroups/deployments/operations/read | Gets or lists deployment operations. |
Microsoft.Resources/subscriptions/resourcegroups/deployments/operationstatuses/read | Gets or lists deployment operation statuses. |
Microsoft.ResourceHealth/availabilityStatuses/read | Gets the availability statuses for all resources in the specified scope |
Microsoft.Resources/subscriptions/read | Gets the list of subscriptions. |
Microsoft.Resources/subscriptions/operationresults/read | Get the subscription operation results. |
Microsoft.HybridCompute/machines/read | Read any Azure Arc machines |
Microsoft.HybridCompute/machines/write | Writes an Azure Arc machine |
Microsoft.HybridCompute/machines/delete | Deletes an Azure Arc machine |
Microsoft.HybridCompute/machines/UpgradeExtensions/action | Upgrades Extensions on Azure Arc machines |
Microsoft.HybridCompute/machines/assessPatches/action | Assesses any Azure Arc machines to get missing software patches |
Microsoft.HybridCompute/machines/installPatches/action | Installs patches on any Azure Arc machines |
Microsoft.HybridCompute/machines/extensions/read | Reads any Azure Arc extensions |
Microsoft.HybridCompute/machines/extensions/write | Installs or updates an Azure Arc extension |
Microsoft.HybridCompute/machines/extensions/delete | Deletes an Azure Arc extension |
Microsoft.HybridCompute/operations/read | Read all Operations for Azure Arc for Servers |
Microsoft.HybridCompute/locations/operationresults/read | Reads the status of an operation on Microsoft.HybridCompute Resource Provider |
Microsoft.HybridCompute/locations/operationstatus/read | Reads the status of an operation on Microsoft.HybridCompute Resource Provider |
Microsoft.HybridCompute/machines/patchAssessmentResults/read | Reads any Azure Arc patchAssessmentResults |
Microsoft.HybridCompute/machines/patchAssessmentResults/softwarePatches/read | Reads any Azure Arc patchAssessmentResults/softwarePatches |
Microsoft.HybridCompute/machines/patchInstallationResults/read | Reads any Azure Arc patchInstallationResults |
Microsoft.HybridCompute/machines/patchInstallationResults/softwarePatches/read | Reads any Azure Arc patchInstallationResults/softwarePatches |
Microsoft.HybridCompute/locations/updateCenterOperationResults/read | Reads the status of an update center operation on machines |
Microsoft.HybridCompute/machines/hybridIdentityMetadata/read | Read any Azure Arc machine's Hybrid Identity Metadata |
Microsoft.HybridCompute/osType/agentVersions/read | Read all Azure Connected Machine Agent versions available |
Microsoft.HybridCompute/osType/agentVersions/latest/read | Read the latest Azure Connected Machine Agent version |
Microsoft.HybridCompute/machines/runcommands/read | Reads any Azure Arc runcommands |
Microsoft.HybridCompute/machines/runcommands/write | Installs or updates an Azure Arc run command |
Microsoft.HybridCompute/machines/runcommands/delete | Deletes an Azure Arc run command |
Microsoft.HybridCompute/machines/licenseProfiles/read | Reads any Azure Arc licenseProfiles |
Microsoft.HybridCompute/machines/licenseProfiles/write | Installs or updates an Azure Arc license profile |
Microsoft.HybridCompute/machines/licenseProfiles/delete | Deletes an Azure Arc license profile |
Microsoft.HybridCompute/licenses/read | Reads any Azure Arc licenses |
Microsoft.HybridCompute/licenses/write | Installs or updates an Azure Arc license |
Microsoft.HybridCompute/licenses/delete | Deletes an Azure Arc license |
Microsoft.ResourceConnector/register/action | Registers the subscription for Appliances resource provider and enables the creation of Appliance. |
Microsoft.ResourceConnector/appliances/read | Gets an Appliance resource |
Microsoft.ResourceConnector/appliances/write | Creates or Updates Appliance resource |
Microsoft.ResourceConnector/appliances/delete | Deletes Appliance resource |
Microsoft.ResourceConnector/locations/operationresults/read | Get result of Appliance operation |
Microsoft.ResourceConnector/locations/operationsstatus/read | Get result of Appliance operation |
Microsoft.ResourceConnector/appliances/listClusterUserCredential/action | Get an appliance cluster user credential |
Microsoft.ResourceConnector/appliances/listKeys/action | Get an appliance cluster customer user keys |
Microsoft.ResourceConnector/operations/read | Gets list of Available Operations for Appliances |
Microsoft.ExtendedLocation/register/action | Registers the subscription for Custom Location resource provider and enables the creation of Custom Location. |
Microsoft.ExtendedLocation/customLocations/read | Gets a Custom Location resource |
Microsoft.ExtendedLocation/customLocations/deploy/action | Deploy permissions to a Custom Location resource |
Microsoft.ExtendedLocation/customLocations/write | Creates or Updates Custom Location resource |
Microsoft.ExtendedLocation/customLocations/delete | Deletes Custom Location resource |
Microsoft.EdgeMarketplace/offers/read | Get an Offer |
Microsoft.EdgeMarketplace/publishers/read | Get a Publisher |
Microsoft.Kubernetes/register/action | Registers Subscription with Microsoft.Kubernetes resource provider |
Microsoft.KubernetesConfiguration/register/action | Registers subscription to Microsoft.KubernetesConfiguration resource provider. |
Microsoft.KubernetesConfiguration/extensions/write | Creates or updates extension resource. |
Microsoft.KubernetesConfiguration/extensions/read | Gets extension instance resource. |
Microsoft.KubernetesConfiguration/extensions/delete | Deletes extension instance resource. |
Microsoft.KubernetesConfiguration/extensions/operations/read | Gets Async Operation status. |
Microsoft.KubernetesConfiguration/namespaces/read | Get Namespace Resource |
Microsoft.KubernetesConfiguration/operations/read | Gets available operations of the Microsoft.KubernetesConfiguration resource provider. |
Microsoft.Resources/subscriptions/resourceGroups/read | Gets or lists resource groups. |
Microsoft.AzureStackHCI/StorageContainers/Write | Creates/Updates storage containers resource |
Microsoft.AzureStackHCI/StorageContainers/Read | Gets/Lists storage containers resource |
Microsoft.HybridContainerService/register/action | Register the subscription for Microsoft.HybridContainerService |
NotActions | |
none | |
DataActions | |
none | |
NotDataActions | |
none | |
Condition | |
((!(ActionMatches{'Microsoft.Authorization/roleAssignments/write'})) OR (@Request[Microsoft.Authorization/roleAssignments:RoleDefinitionId] ForAnyOfAnyValues:GuidEquals{f5819b54-e033-4d82-ac66-4fec3cbf3f4c, cd570a14-e51a-42ad-bac8-bafd67325302, b64e21ea-ac4e-4cdf-9dc9-5b892992bee7, 4b3fe76c-f777-4d24-a2d7-b027b0f7b273, 874d1c73-6003-4e60-a13a-cb31ea190a85,865ae368-6a45-4bd1-8fbf-0d5151f56fc1,7b1f81f9-4196-4058-8aae-762e593270df,4633458b-17de-408a-b874-0445c86b69e6})) AND ((!(ActionMatches{'Microsoft.Authorization/roleAssignments/delete'})) OR (@Resource[Microsoft.Authorization/roleAssignments:RoleDefinitionId] ForAnyOfAnyValues:GuidEquals{f5819b54-e033-4d82-ac66-4fec3cbf3f4c, cd570a14-e51a-42ad-bac8-bafd67325302, b64e21ea-ac4e-4cdf-9dc9-5b892992bee7, 4b3fe76c-f777-4d24-a2d7-b027b0f7b273, 874d1c73-6003-4e60-a13a-cb31ea190a85,865ae368-6a45-4bd1-8fbf-0d5151f56fc1,7b1f81f9-4196-4058-8aae-762e593270df,4633458b-17de-408a-b874-0445c86b69e6})) | Add or remove role assignments only for the following roles: Azure Connected Machine Resource Manager, Azure Connected Machine Resource Administrator, Azure Connected Machine Onboarding, Azure Stack HCI VM Reader, Azure Stack HCI VM Contributor, Azure Stack HCI Device Management Role, Azure Resource Bridge Deployment Role, Key Vault Secrets User |
This is an Azure ABAC condition (conditionVersion 2.0) attached to the role's Microsoft.Authorization/roleAssignments/write and roleAssignments/delete permissions. A write is permitted only when the RoleDefinitionId in the request is one of the eight listed GUIDs, and a delete only when the existing assignment's RoleDefinitionId is one of them; every other action in the role is unaffected. The holder can therefore delegate the narrower Hybrid + multicloud roles listed but cannot grant any other role, such as Owner, and cannot grant this role itself (bda0d508-adf1-4af0-9c28-88919fc3ae06 is not in the list).
{
"assignableScopes": [
"/"
],
"description": "Grants full access to the cluster and its resources, including the ability to register Azure Stack HCI and assign others as Azure Arc HCI VM Contributor and/or Azure Arc HCI VM Reader",
"id": "/providers/Microsoft.Authorization/roleDefinitions/bda0d508-adf1-4af0-9c28-88919fc3ae06",
"name": "bda0d508-adf1-4af0-9c28-88919fc3ae06",
"permissions": [
{
"actions": [
"Microsoft.AzureStackHCI/register/action",
"Microsoft.AzureStackHCI/Unregister/Action",
"Microsoft.AzureStackHCI/clusters/*",
"Microsoft.AzureStackHCI/NetworkSecurityGroups/Read",
"Microsoft.AzureStackHCI/NetworkSecurityGroups/SecurityRules/Read",
"Microsoft.AzureStackHCI/NetworkSecurityGroups/Write",
"Microsoft.AzureStackHCI/NetworkSecurityGroups/SecurityRules/Write",
"Microsoft.AzureStackHCI/NetworkSecurityGroups/Delete",
"Microsoft.AzureStackHCI/NetworkSecurityGroups/SecurityRules/Delete",
"Microsoft.AzureStackHCI/NetworkSecurityGroups/join/action",
"Microsoft.HybridCompute/register/action",
"Microsoft.GuestConfiguration/register/action",
"Microsoft.GuestConfiguration/guestConfigurationAssignments/read",
"Microsoft.Resources/subscriptions/resourceGroups/write",
"Microsoft.Resources/subscriptions/resourceGroups/delete",
"Microsoft.HybridConnectivity/register/action",
"Microsoft.Authorization/roleAssignments/write",
"Microsoft.Authorization/roleAssignments/delete",
"Microsoft.Authorization/*/read",
"Microsoft.Resources/deployments/*",
"Microsoft.Resources/subscriptions/resourceGroups/read",
"Microsoft.Resources/subscriptions/read",
"Microsoft.Management/managementGroups/read",
"Microsoft.AzureStackHCI/*",
"Microsoft.Insights/AlertRules/Write",
"Microsoft.Insights/AlertRules/Delete",
"Microsoft.Insights/AlertRules/Read",
"Microsoft.Insights/AlertRules/Activated/Action",
"Microsoft.Insights/AlertRules/Resolved/Action",
"Microsoft.Insights/AlertRules/Throttled/Action",
"Microsoft.Insights/AlertRules/Incidents/Read",
"Microsoft.Resources/subscriptions/resourcegroups/deployments/read",
"Microsoft.Resources/subscriptions/resourcegroups/deployments/write",
"Microsoft.Resources/subscriptions/resourcegroups/deployments/operations/read",
"Microsoft.Resources/subscriptions/resourcegroups/deployments/operationstatuses/read",
"Microsoft.ResourceHealth/availabilityStatuses/read",
"Microsoft.Resources/subscriptions/read",
"Microsoft.Resources/subscriptions/operationresults/read",
"Microsoft.HybridCompute/machines/read",
"Microsoft.HybridCompute/machines/write",
"Microsoft.HybridCompute/machines/delete",
"Microsoft.HybridCompute/machines/UpgradeExtensions/action",
"Microsoft.HybridCompute/machines/assessPatches/action",
"Microsoft.HybridCompute/machines/installPatches/action",
"Microsoft.HybridCompute/machines/extensions/read",
"Microsoft.HybridCompute/machines/extensions/write",
"Microsoft.HybridCompute/machines/extensions/delete",
"Microsoft.HybridCompute/operations/read",
"Microsoft.HybridCompute/locations/operationresults/read",
"Microsoft.HybridCompute/locations/operationstatus/read",
"Microsoft.HybridCompute/machines/patchAssessmentResults/read",
"Microsoft.HybridCompute/machines/patchAssessmentResults/softwarePatches/read",
"Microsoft.HybridCompute/machines/patchInstallationResults/read",
"Microsoft.HybridCompute/machines/patchInstallationResults/softwarePatches/read",
"Microsoft.HybridCompute/locations/updateCenterOperationResults/read",
"Microsoft.HybridCompute/machines/hybridIdentityMetadata/read",
"Microsoft.HybridCompute/osType/agentVersions/read",
"Microsoft.HybridCompute/osType/agentVersions/latest/read",
"Microsoft.HybridCompute/machines/runcommands/read",
"Microsoft.HybridCompute/machines/runcommands/write",
"Microsoft.HybridCompute/machines/runcommands/delete",
"Microsoft.HybridCompute/machines/licenseProfiles/read",
"Microsoft.HybridCompute/machines/licenseProfiles/write",
"Microsoft.HybridCompute/machines/licenseProfiles/delete",
"Microsoft.HybridCompute/licenses/read",
"Microsoft.HybridCompute/licenses/write",
"Microsoft.HybridCompute/licenses/delete",
"Microsoft.ResourceConnector/register/action",
"Microsoft.ResourceConnector/appliances/read",
"Microsoft.ResourceConnector/appliances/write",
"Microsoft.ResourceConnector/appliances/delete",
"Microsoft.ResourceConnector/locations/operationresults/read",
"Microsoft.ResourceConnector/locations/operationsstatus/read",
"Microsoft.ResourceConnector/appliances/listClusterUserCredential/action",
"Microsoft.ResourceConnector/appliances/listKeys/action",
"Microsoft.ResourceConnector/operations/read",
"Microsoft.ExtendedLocation/register/action",
"Microsoft.ExtendedLocation/customLocations/read",
"Microsoft.ExtendedLocation/customLocations/deploy/action",
"Microsoft.ExtendedLocation/customLocations/write",
"Microsoft.ExtendedLocation/customLocations/delete",
"Microsoft.EdgeMarketplace/offers/read",
"Microsoft.EdgeMarketplace/publishers/read",
"Microsoft.Kubernetes/register/action",
"Microsoft.KubernetesConfiguration/register/action",
"Microsoft.KubernetesConfiguration/extensions/write",
"Microsoft.KubernetesConfiguration/extensions/read",
"Microsoft.KubernetesConfiguration/extensions/delete",
"Microsoft.KubernetesConfiguration/extensions/operations/read",
"Microsoft.KubernetesConfiguration/namespaces/read",
"Microsoft.KubernetesConfiguration/operations/read",
"Microsoft.Resources/subscriptions/resourceGroups/read",
"Microsoft.AzureStackHCI/StorageContainers/Write",
"Microsoft.AzureStackHCI/StorageContainers/Read",
"Microsoft.HybridContainerService/register/action"
],
"notActions": [],
"dataActions": [],
"notDataActions": [],
"conditionVersion": "2.0",
"condition": "((!(ActionMatches{'Microsoft.Authorization/roleAssignments/write'})) OR (@Request[Microsoft.Authorization/roleAssignments:RoleDefinitionId] ForAnyOfAnyValues:GuidEquals{f5819b54-e033-4d82-ac66-4fec3cbf3f4c, cd570a14-e51a-42ad-bac8-bafd67325302, b64e21ea-ac4e-4cdf-9dc9-5b892992bee7, 4b3fe76c-f777-4d24-a2d7-b027b0f7b273, 874d1c73-6003-4e60-a13a-cb31ea190a85,865ae368-6a45-4bd1-8fbf-0d5151f56fc1,7b1f81f9-4196-4058-8aae-762e593270df,4633458b-17de-408a-b874-0445c86b69e6})) AND ((!(ActionMatches{'Microsoft.Authorization/roleAssignments/delete'})) OR (@Resource[Microsoft.Authorization/roleAssignments:RoleDefinitionId] ForAnyOfAnyValues:GuidEquals{f5819b54-e033-4d82-ac66-4fec3cbf3f4c, cd570a14-e51a-42ad-bac8-bafd67325302, b64e21ea-ac4e-4cdf-9dc9-5b892992bee7, 4b3fe76c-f777-4d24-a2d7-b027b0f7b273, 874d1c73-6003-4e60-a13a-cb31ea190a85,865ae368-6a45-4bd1-8fbf-0d5151f56fc1,7b1f81f9-4196-4058-8aae-762e593270df,4633458b-17de-408a-b874-0445c86b69e6}))"
}
],
"roleName": "Azure Stack HCI Administrator",
"roleType": "BuiltInRole",
"type": "Microsoft.Authorization/roleDefinitions"
}
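The Azure Stack HCI Administrator definition above combines wildcard Actions entries such as Microsoft.AzureStackHCI/* with an ABAC condition on roleAssignments/write and delete. The following Python, added here as an example and not taken from the Azure documentation or any Microsoft tool, evaluates both for this role: whether an operation string falls under the Actions patterns (Azure RBAC matching is case-insensitive and * spans path separators), and whether the holder may create or delete a role assignment for a given role definition ID. The role data is abridged from the JSON above, the Owner role ID is the well-known built-in value, and the clause parser covers only the clause shape this condition uses, not the general ABAC grammar.

```python
"""Evaluate what the Azure Stack HCI Administrator role definition permits.

Added example, not code from the Azure documentation. It answers two
questions a reviewer asks of any built-in role: does the Actions list cover
a given control-plane operation (Azure RBAC wildcard matching), and, because
this role carries an ABAC condition, which role assignments may its holder
create or delete? Only the role fields needed here are kept.
"""
import re

# The condition's GUID list appears twice on the page (write and delete
# clauses); it is copied verbatim and reused to rebuild the condition string.
_CONDITION_GUIDS = (
    "f5819b54-e033-4d82-ac66-4fec3cbf3f4c, cd570a14-e51a-42ad-bac8-bafd67325302, "
    "b64e21ea-ac4e-4cdf-9dc9-5b892992bee7, 4b3fe76c-f777-4d24-a2d7-b027b0f7b273, "
    "874d1c73-6003-4e60-a13a-cb31ea190a85,865ae368-6a45-4bd1-8fbf-0d5151f56fc1,"
    "7b1f81f9-4196-4058-8aae-762e593270df,4633458b-17de-408a-b874-0445c86b69e6"
)

# Abridged from the role definition on this page: a handful of its Actions
# entries plus the condition, which is what the checks below exercise.
HCI_ADMIN = {
    "roleName": "Azure Stack HCI Administrator",
    "id": "bda0d508-adf1-4af0-9c28-88919fc3ae06",
    "actions": [
        "Microsoft.AzureStackHCI/*",
        "Microsoft.Authorization/roleAssignments/write",
        "Microsoft.Authorization/roleAssignments/delete",
        "Microsoft.Authorization/*/read",
        "Microsoft.HybridCompute/machines/runcommands/write",
    ],
    "notActions": [],
    "condition": (
        "((!(ActionMatches{'Microsoft.Authorization/roleAssignments/write'})) OR "
        "(@Request[Microsoft.Authorization/roleAssignments:RoleDefinitionId] "
        f"ForAnyOfAnyValues:GuidEquals{{{_CONDITION_GUIDS}}})) AND "
        "((!(ActionMatches{'Microsoft.Authorization/roleAssignments/delete'})) OR "
        "(@Resource[Microsoft.Authorization/roleAssignments:RoleDefinitionId] "
        f"ForAnyOfAnyValues:GuidEquals{{{_CONDITION_GUIDS}}}))"
    ),
}

# Well-known built-in Owner role ID, used as the "can the holder escalate?" probe.
OWNER_ROLE_ID = "8e3af657-a8ff-443c-a75c-2fe8c4bcb635"


def _pattern_matches(pattern: str, operation: str) -> bool:
    """Azure RBAC action matching: case-insensitive, '*' spans any characters,
    including '/' (so 'Microsoft.AzureStackHCI/*' covers every nested operation)."""
    regex = ".*".join(re.escape(part) for part in pattern.split("*"))
    return re.fullmatch(regex, operation, re.IGNORECASE) is not None


def action_allowed(role: dict, operation: str) -> bool:
    """Granted when some Actions pattern matches and no NotActions pattern does."""
    if any(_pattern_matches(p, operation) for p in role.get("notActions", [])):
        return False
    return any(_pattern_matches(p, operation) for p in role["actions"])


_GUID = re.compile(r"[0-9a-f]{8}(?:-[0-9a-f]{4}){3}-[0-9a-f]{12}", re.IGNORECASE)
# One clause of the page's condition: "(!(ActionMatches{'<action>'})) OR
# (@Request|@Resource[...RoleDefinitionId] ForAnyOfAnyValues:GuidEquals{<guids>})".
_CLAUSE = re.compile(
    r"ActionMatches\{'(?P<action>[^']+)'\}\)\)\s*OR\s*\(@(?:Request|Resource)"
    r"\[Microsoft\.Authorization/roleAssignments:RoleDefinitionId\]\s*"
    r"ForAnyOfAnyValues:GuidEquals\{(?P<guids>[^}]*)\}",
    re.IGNORECASE,
)


def allowed_role_ids(role: dict) -> dict:
    """Map each conditioned action (lower-cased) to the set of role-definition
    GUIDs the condition permits for it. Handles only the clause shape used by
    this role's condition, not the full ABAC grammar."""
    allowed = {}
    for m in _CLAUSE.finditer(role.get("condition", "")):
        allowed[m.group("action").lower()] = {g.lower() for g in _GUID.findall(m.group("guids"))}
    return allowed


def assignment_allowed(role: dict, operation: str, role_definition_id: str) -> bool:
    """Can a holder of `role` perform roleAssignments/<operation> ('write' or
    'delete') on a role assignment whose RoleDefinitionId is `role_definition_id`?
    Accepts a bare GUID or a full '/subscriptions/.../roleDefinitions/<guid>' path."""
    action = f"Microsoft.Authorization/roleAssignments/{operation}"
    if not action_allowed(role, action):
        return False
    conditioned = allowed_role_ids(role)
    if action.lower() not in conditioned:
        return True  # the action carries no condition
    guid = role_definition_id.rstrip("/").rsplit("/", 1)[-1].lower()
    return guid in conditioned[action.lower()]


if __name__ == "__main__":
    probes = [
        ("write", "874d1c73-6003-4e60-a13a-cb31ea190a85"),   # Azure Stack HCI VM Contributor
        ("write", OWNER_ROLE_ID),                             # not in the allow-list
        ("write", HCI_ADMIN["id"]),                           # cannot grant itself either
        ("delete", "7b1f81f9-4196-4058-8aae-762e593270df"),  # Azure Resource Bridge Deployment Role
    ]
    for op, rid in probes:
        print(f"roleAssignments/{op} for {rid}: {assignment_allowed(HCI_ADMIN, op, rid)}")
```

The same two functions apply unchanged to the other definitions on this page (none of which carries a condition, so assignment_allowed reduces to action_allowed for them). When reviewing a custom role that copies this one, rerun the Owner probe: dropping the condition while keeping roleAssignments/write turns a scoped administrator into a path to Owner at that scope.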
Azure Stack HCI Device Management Role
Microsoft.AzureStackHCI Device Management Role
Actions | Description |
---|---|
Microsoft.AzureStackHCI/Clusters/* | |
Microsoft.AzureStackHCI/EdgeDevices/* | |
Microsoft.Resources/subscriptions/resourceGroups/read | Gets or lists resource groups. |
NotActions | |
none | |
DataActions | |
none | |
NotDataActions | |
none | |
{
"assignableScopes": [
"/"
],
"description": "Microsoft.AzureStackHCI Device Management Role",
"id": "/providers/Microsoft.Authorization/roleDefinitions/865ae368-6a45-4bd1-8fbf-0d5151f56fc1",
"name": "865ae368-6a45-4bd1-8fbf-0d5151f56fc1",
"permissions": [
{
"actions": [
"Microsoft.AzureStackHCI/Clusters/*",
"Microsoft.AzureStackHCI/EdgeDevices/*",
"Microsoft.Resources/subscriptions/resourceGroups/read"
],
"notActions": [],
"dataActions": [],
"notDataActions": []
}
],
"roleName": "Azure Stack HCI Device Management Role",
"roleType": "BuiltInRole",
"type": "Microsoft.Authorization/roleDefinitions"
}
Azure Stack HCI VM Contributor
Grants permissions to perform all VM actions
Actions | Description |
---|---|
Microsoft.AzureStackHCI/VirtualMachines/* | |
Microsoft.AzureStackHCI/virtualMachineInstances/* | |
Microsoft.AzureStackHCI/NetworkInterfaces/* | |
Microsoft.AzureStackHCI/VirtualHardDisks/* | |
Microsoft.AzureStackHCI/VirtualNetworks/Read | Gets/Lists virtual networks resource |
Microsoft.AzureStackHCI/VirtualNetworks/join/action | Joins virtual networks resource |
Microsoft.AzureStackHCI/LogicalNetworks/Read | Gets/Lists logical networks resource |
Microsoft.AzureStackHCI/LogicalNetworks/join/action | Joins logical networks resource |
Microsoft.AzureStackHCI/GalleryImages/Read | Gets/Lists gallery images resource |
Microsoft.AzureStackHCI/GalleryImages/deploy/action | Deploys gallery images resource |
Microsoft.AzureStackHCI/StorageContainers/Read | Gets/Lists storage containers resource |
Microsoft.AzureStackHCI/StorageContainers/deploy/action | Deploys storage containers resource |
Microsoft.AzureStackHCI/MarketplaceGalleryImages/Read | Gets/Lists market place gallery images resource |
Microsoft.AzureStackHCI/MarketPlaceGalleryImages/deploy/action | Deploys market place gallery images resource |
Microsoft.AzureStackHCI/Clusters/Read | Gets clusters |
Microsoft.AzureStackHCI/Clusters/ArcSettings/Read | Gets arc resource of HCI cluster |
Microsoft.AzureStackHCI/NetworkSecurityGroups/Read | Gets/Lists a network security group resource |
Microsoft.AzureStackHCI/NetworkSecurityGroups/SecurityRules/Read | Gets/Lists security rule resource |
Microsoft.Insights/AlertRules/Write | Create or update a classic metric alert |
Microsoft.Insights/AlertRules/Delete | Delete a classic metric alert |
Microsoft.Insights/AlertRules/Read | Read a classic metric alert |
Microsoft.Insights/AlertRules/Activated/Action | Classic metric alert activated |
Microsoft.Insights/AlertRules/Resolved/Action | Classic metric alert resolved |
Microsoft.Insights/AlertRules/Throttled/Action | Classic metric alert rule throttled |
Microsoft.Insights/AlertRules/Incidents/Read | Read a classic metric alert incident |
Microsoft.Resources/deployments/read | Gets or lists deployments. |
Microsoft.Resources/deployments/write | Creates or updates a deployment. |
Microsoft.Resources/deployments/delete | Deletes a deployment. |
Microsoft.Resources/deployments/cancel/action | Cancels a deployment. |
Microsoft.Resources/deployments/validate/action | Validates a deployment. |
Microsoft.Resources/deployments/whatIf/action | Predicts template deployment changes. |
Microsoft.Resources/deployments/exportTemplate/action | Export template for a deployment |
Microsoft.Resources/deployments/operations/read | Gets or lists deployment operations. |
Microsoft.Resources/deployments/operationstatuses/read | Gets or lists deployment operation statuses. |
Microsoft.Resources/subscriptions/resourcegroups/deployments/read | Gets or lists deployments. |
Microsoft.Resources/subscriptions/resourcegroups/deployments/write | Creates or updates a deployment. |
Microsoft.Resources/subscriptions/resourcegroups/deployments/operations/read | Gets or lists deployment operations. |
Microsoft.Resources/subscriptions/resourcegroups/deployments/operationstatuses/read | Gets or lists deployment operation statuses. |
Microsoft.ResourceHealth/availabilityStatuses/read | Gets the availability statuses for all resources in the specified scope |
Microsoft.Authorization/*/read | Read roles and role assignments |
Microsoft.Resources/subscriptions/read | Gets the list of subscriptions. |
Microsoft.Resources/subscriptions/resourceGroups/read | Gets or lists resource groups. |
Microsoft.Resources/subscriptions/operationresults/read | Get the subscription operation results. |
Microsoft.HybridCompute/machines/read | Read any Azure Arc machines |
Microsoft.HybridCompute/machines/write | Writes an Azure Arc machine |
Microsoft.HybridCompute/machines/delete | Deletes an Azure Arc machine |
Microsoft.HybridCompute/machines/UpgradeExtensions/action | Upgrades Extensions on Azure Arc machines |
Microsoft.HybridCompute/machines/assessPatches/action | Assesses any Azure Arc machines to get missing software patches |
Microsoft.HybridCompute/machines/installPatches/action | Installs patches on any Azure Arc machines |
Microsoft.HybridCompute/machines/extensions/read | Reads any Azure Arc extensions |
Microsoft.HybridCompute/machines/extensions/write | Installs or updates an Azure Arc extension |
Microsoft.HybridCompute/machines/extensions/delete | Deletes an Azure Arc extension |
Microsoft.HybridCompute/operations/read | Read all Operations for Azure Arc for Servers |
Microsoft.HybridCompute/locations/operationresults/read | Reads the status of an operation on Microsoft.HybridCompute Resource Provider |
Microsoft.HybridCompute/locations/operationstatus/read | Reads the status of an operation on Microsoft.HybridCompute Resource Provider |
Microsoft.HybridCompute/machines/patchAssessmentResults/read | Reads any Azure Arc patchAssessmentResults |
Microsoft.HybridCompute/machines/patchAssessmentResults/softwarePatches/read | Reads any Azure Arc patchAssessmentResults/softwarePatches |
Microsoft.HybridCompute/machines/patchInstallationResults/read | Reads any Azure Arc patchInstallationResults |
Microsoft.HybridCompute/machines/patchInstallationResults/softwarePatches/read | Reads any Azure Arc patchInstallationResults/softwarePatches |
Microsoft.HybridCompute/locations/updateCenterOperationResults/read | Reads the status of an update center operation on machines |
Microsoft.HybridCompute/machines/hybridIdentityMetadata/read | Read any Azure Arc machine's Hybrid Identity Metadata |
Microsoft.HybridCompute/osType/agentVersions/read | Read all Azure Connected Machine Agent versions available |
Microsoft.HybridCompute/osType/agentVersions/latest/read | Read the latest Azure Connected Machine Agent version |
Microsoft.HybridCompute/machines/runcommands/read | Reads any Azure Arc runcommands |
Microsoft.HybridCompute/machines/runcommands/write | Installs or updates an Azure Arc run command |
Microsoft.HybridCompute/machines/runcommands/delete | Deletes an Azure Arc run command |
Microsoft.HybridCompute/machines/licenseProfiles/read | Reads any Azure Arc licenseProfiles |
Microsoft.HybridCompute/machines/licenseProfiles/write | Installs or updates an Azure Arc license profile |
Microsoft.HybridCompute/machines/licenseProfiles/delete | Deletes an Azure Arc license profile |
Microsoft.HybridCompute/licenses/read | Reads any Azure Arc licenses |
Microsoft.HybridCompute/licenses/write | Installs or updates an Azure Arc license |
Microsoft.HybridCompute/licenses/delete | Deletes an Azure Arc license |
Microsoft.ExtendedLocation/customLocations/Read | Gets a Custom Location resource |
Microsoft.ExtendedLocation/customLocations/deploy/action | Deploy permissions to a Custom Location resource |
Microsoft.KubernetesConfiguration/extensions/read | Gets extension instance resource. |
NotActions | |
none | |
DataActions | |
none | |
NotDataActions | |
none | |
{
"assignableScopes": [
"/"
],
"description": "Grants permissions to perform all VM actions",
"id": "/providers/Microsoft.Authorization/roleDefinitions/874d1c73-6003-4e60-a13a-cb31ea190a85",
"name": "874d1c73-6003-4e60-a13a-cb31ea190a85",
"permissions": [
{
"actions": [
"Microsoft.AzureStackHCI/VirtualMachines/*",
"Microsoft.AzureStackHCI/virtualMachineInstances/*",
"Microsoft.AzureStackHCI/NetworkInterfaces/*",
"Microsoft.AzureStackHCI/VirtualHardDisks/*",
"Microsoft.AzureStackHCI/VirtualNetworks/Read",
"Microsoft.AzureStackHCI/VirtualNetworks/join/action",
"Microsoft.AzureStackHCI/LogicalNetworks/Read",
"Microsoft.AzureStackHCI/LogicalNetworks/join/action",
"Microsoft.AzureStackHCI/GalleryImages/Read",
"Microsoft.AzureStackHCI/GalleryImages/deploy/action",
"Microsoft.AzureStackHCI/StorageContainers/Read",
"Microsoft.AzureStackHCI/StorageContainers/deploy/action",
"Microsoft.AzureStackHCI/MarketplaceGalleryImages/Read",
"Microsoft.AzureStackHCI/MarketPlaceGalleryImages/deploy/action",
"Microsoft.AzureStackHCI/Clusters/Read",
"Microsoft.AzureStackHCI/Clusters/ArcSettings/Read",
"Microsoft.AzureStackHCI/NetworkSecurityGroups/Read",
"Microsoft.AzureStackHCI/NetworkSecurityGroups/SecurityRules/Read",
"Microsoft.Insights/AlertRules/Write",
"Microsoft.Insights/AlertRules/Delete",
"Microsoft.Insights/AlertRules/Read",
"Microsoft.Insights/AlertRules/Activated/Action",
"Microsoft.Insights/AlertRules/Resolved/Action",
"Microsoft.Insights/AlertRules/Throttled/Action",
"Microsoft.Insights/AlertRules/Incidents/Read",
"Microsoft.Resources/deployments/read",
"Microsoft.Resources/deployments/write",
"Microsoft.Resources/deployments/delete",
"Microsoft.Resources/deployments/cancel/action",
"Microsoft.Resources/deployments/validate/action",
"Microsoft.Resources/deployments/whatIf/action",
"Microsoft.Resources/deployments/exportTemplate/action",
"Microsoft.Resources/deployments/operations/read",
"Microsoft.Resources/deployments/operationstatuses/read",
"Microsoft.Resources/subscriptions/resourcegroups/deployments/read",
"Microsoft.Resources/subscriptions/resourcegroups/deployments/write",
"Microsoft.Resources/subscriptions/resourcegroups/deployments/operations/read",
"Microsoft.Resources/subscriptions/resourcegroups/deployments/operationstatuses/read",
"Microsoft.ResourceHealth/availabilityStatuses/read",
"Microsoft.Authorization/*/read",
"Microsoft.Resources/subscriptions/read",
"Microsoft.Resources/subscriptions/resourceGroups/read",
"Microsoft.Resources/subscriptions/operationresults/read",
"Microsoft.HybridCompute/machines/read",
"Microsoft.HybridCompute/machines/write",
"Microsoft.HybridCompute/machines/delete",
"Microsoft.HybridCompute/machines/UpgradeExtensions/action",
"Microsoft.HybridCompute/machines/assessPatches/action",
"Microsoft.HybridCompute/machines/installPatches/action",
"Microsoft.HybridCompute/machines/extensions/read",
"Microsoft.HybridCompute/machines/extensions/write",
"Microsoft.HybridCompute/machines/extensions/delete",
"Microsoft.HybridCompute/operations/read",
"Microsoft.HybridCompute/locations/operationresults/read",
"Microsoft.HybridCompute/locations/operationstatus/read",
"Microsoft.HybridCompute/machines/patchAssessmentResults/read",
"Microsoft.HybridCompute/machines/patchAssessmentResults/softwarePatches/read",
"Microsoft.HybridCompute/machines/patchInstallationResults/read",
"Microsoft.HybridCompute/machines/patchInstallationResults/softwarePatches/read",
"Microsoft.HybridCompute/locations/updateCenterOperationResults/read",
"Microsoft.HybridCompute/machines/hybridIdentityMetadata/read",
"Microsoft.HybridCompute/osType/agentVersions/read",
"Microsoft.HybridCompute/osType/agentVersions/latest/read",
"Microsoft.HybridCompute/machines/runcommands/read",
"Microsoft.HybridCompute/machines/runcommands/write",
"Microsoft.HybridCompute/machines/runcommands/delete",
"Microsoft.HybridCompute/machines/licenseProfiles/read",
"Microsoft.HybridCompute/machines/licenseProfiles/write",
"Microsoft.HybridCompute/machines/licenseProfiles/delete",
"Microsoft.HybridCompute/licenses/read",
"Microsoft.HybridCompute/licenses/write",
"Microsoft.HybridCompute/licenses/delete",
"Microsoft.ExtendedLocation/customLocations/Read",
"Microsoft.ExtendedLocation/customLocations/deploy/action",
"Microsoft.KubernetesConfiguration/extensions/read"
],
"notActions": [],
"dataActions": [],
"notDataActions": []
}
],
"roleName": "Azure Stack HCI VM Contributor",
"roleType": "BuiltInRole",
"type": "Microsoft.Authorization/roleDefinitions"
}
Azure Stack HCI VM Reader
Grants permissions to view VMs
Actions | Description |
---|---|
Microsoft.AzureStackHCI/VirtualMachines/Read | Gets/Lists virtual machine resource |
Microsoft.AzureStackHCI/virtualMachineInstances/Read | Gets/Lists virtual machine instance resource |
Microsoft.AzureStackHCI/VirtualMachines/Extensions/Read | Gets/Lists virtual machine extensions resource |
Microsoft.AzureStackHCI/VirtualNetworks/Read | Gets/Lists virtual networks resource |
Microsoft.AzureStackHCI/LogicalNetworks/Read | Gets/Lists logical networks resource |
Microsoft.AzureStackHCI/NetworkInterfaces/Read | Gets/Lists network interfaces resource |
Microsoft.AzureStackHCI/VirtualHardDisks/Read | Gets/Lists virtual hard disk resource |
Microsoft.AzureStackHCI/StorageContainers/Read | Gets/Lists storage containers resource |
Microsoft.AzureStackHCI/GalleryImages/Read | Gets/Lists gallery images resource |
Microsoft.AzureStackHCI/MarketplaceGalleryImages/Read | Gets/Lists marketplace gallery images resource |
Microsoft.AzureStackHCI/NetworkSecurityGroups/Read | Gets/Lists a network security group resource |
Microsoft.AzureStackHCI/NetworkSecurityGroups/SecurityRules/Read | Gets/Lists security rule resource |
Microsoft.HybridCompute/licenses/read | Reads any Azure Arc licenses |
Microsoft.HybridCompute/machines/extensions/read | Reads any Azure Arc extensions |
Microsoft.HybridCompute/machines/licenseProfiles/read | Reads any Azure Arc licenseProfiles |
Microsoft.HybridCompute/machines/patchAssessmentResults/read | Reads any Azure Arc patchAssessmentResults |
Microsoft.HybridCompute/machines/patchAssessmentResults/softwarePatches/read | Reads any Azure Arc patchAssessmentResults/softwarePatches |
Microsoft.HybridCompute/machines/patchInstallationResults/read | Reads any Azure Arc patchInstallationResults |
Microsoft.HybridCompute/machines/patchInstallationResults/softwarePatches/read | Reads any Azure Arc patchInstallationResults/softwarePatches |
Microsoft.HybridCompute/machines/read | Read any Azure Arc machines |
Microsoft.HybridCompute/privateLinkScopes/networkSecurityPerimeterConfigurations/read | Reads any Azure Arc networkSecurityPerimeterConfigurations |
Microsoft.HybridCompute/privateLinkScopes/privateEndpointConnections/read | Read any Azure Arc privateEndpointConnections |
Microsoft.HybridCompute/privateLinkScopes/read | Read any Azure Arc privateLinkScopes |
Microsoft.Insights/AlertRules/Write | Create or update a classic metric alert |
Microsoft.Insights/AlertRules/Delete | Delete a classic metric alert |
Microsoft.Insights/AlertRules/Read | Read a classic metric alert |
Microsoft.Insights/AlertRules/Activated/Action | Classic metric alert activated |
Microsoft.Insights/AlertRules/Resolved/Action | Classic metric alert resolved |
Microsoft.Insights/AlertRules/Throttled/Action | Classic metric alert rule throttled |
Microsoft.Insights/AlertRules/Incidents/Read | Read a classic metric alert incident |
Microsoft.Resources/deployments/read | Gets or lists deployments. |
Microsoft.Resources/deployments/exportTemplate/action | Export template for a deployment |
Microsoft.Resources/deployments/operations/read | Gets or lists deployment operations. |
Microsoft.Resources/deployments/operationstatuses/read | Gets or lists deployment operation statuses. |
Microsoft.Resources/subscriptions/resourcegroups/deployments/read | Gets or lists deployments. |
Microsoft.Resources/subscriptions/resourcegroups/deployments/operations/read | Gets or lists deployment operations. |
Microsoft.Resources/subscriptions/resourcegroups/deployments/operationstatuses/read | Gets or lists deployment operation statuses. |
Microsoft.ResourceHealth/availabilityStatuses/read | Gets the availability statuses for all resources in the specified scope |
Microsoft.Authorization/*/read | Read roles and role assignments |
Microsoft.Resources/subscriptions/read | Gets the list of subscriptions. |
Microsoft.Resources/subscriptions/resourceGroups/read | Gets or lists resource groups. |
Microsoft.Resources/subscriptions/operationresults/read | Get the subscription operation results. |
NotActions | |
none | |
DataActions | |
none | |
NotDataActions | |
none | |
{
"assignableScopes": [
"/"
],
"description": "Grants permissions to view VMs",
"id": "/providers/Microsoft.Authorization/roleDefinitions/4b3fe76c-f777-4d24-a2d7-b027b0f7b273",
"name": "4b3fe76c-f777-4d24-a2d7-b027b0f7b273",
"permissions": [
{
"actions": [
"Microsoft.AzureStackHCI/VirtualMachines/Read",
"Microsoft.AzureStackHCI/virtualMachineInstances/Read",
"Microsoft.AzureStackHCI/VirtualMachines/Extensions/Read",
"Microsoft.AzureStackHCI/VirtualNetworks/Read",
"Microsoft.AzureStackHCI/LogicalNetworks/Read",
"Microsoft.AzureStackHCI/NetworkInterfaces/Read",
"Microsoft.AzureStackHCI/VirtualHardDisks/Read",
"Microsoft.AzureStackHCI/StorageContainers/Read",
"Microsoft.AzureStackHCI/GalleryImages/Read",
"Microsoft.AzureStackHCI/MarketplaceGalleryImages/Read",
"Microsoft.AzureStackHCI/NetworkSecurityGroups/Read",
"Microsoft.AzureStackHCI/NetworkSecurityGroups/SecurityRules/Read",
"Microsoft.HybridCompute/licenses/read",
"Microsoft.HybridCompute/machines/extensions/read",
"Microsoft.HybridCompute/machines/licenseProfiles/read",
"Microsoft.HybridCompute/machines/patchAssessmentResults/read",
"Microsoft.HybridCompute/machines/patchAssessmentResults/softwarePatches/read",
"Microsoft.HybridCompute/machines/patchInstallationResults/read",
"Microsoft.HybridCompute/machines/patchInstallationResults/softwarePatches/read",
"Microsoft.HybridCompute/machines/read",
"Microsoft.HybridCompute/privateLinkScopes/networkSecurityPerimeterConfigurations/read",
"Microsoft.HybridCompute/privateLinkScopes/privateEndpointConnections/read",
"Microsoft.HybridCompute/privateLinkScopes/read",
"Microsoft.Insights/AlertRules/Write",
"Microsoft.Insights/AlertRules/Delete",
"Microsoft.Insights/AlertRules/Read",
"Microsoft.Insights/AlertRules/Activated/Action",
"Microsoft.Insights/AlertRules/Resolved/Action",
"Microsoft.Insights/AlertRules/Throttled/Action",
"Microsoft.Insights/AlertRules/Incidents/Read",
"Microsoft.Resources/deployments/read",
"Microsoft.Resources/deployments/exportTemplate/action",
"Microsoft.Resources/deployments/operations/read",
"Microsoft.Resources/deployments/operationstatuses/read",
"Microsoft.Resources/subscriptions/resourcegroups/deployments/read",
"Microsoft.Resources/subscriptions/resourcegroups/deployments/operations/read",
"Microsoft.Resources/subscriptions/resourcegroups/deployments/operationstatuses/read",
"Microsoft.ResourceHealth/availabilityStatuses/read",
"Microsoft.Authorization/*/read",
"Microsoft.Resources/subscriptions/read",
"Microsoft.Resources/subscriptions/resourceGroups/read",
"Microsoft.Resources/subscriptions/operationresults/read"
],
"notActions": [],
"dataActions": [],
"notDataActions": []
}
],
"roleName": "Azure Stack HCI VM Reader",
"roleType": "BuiltInRole",
"type": "Microsoft.Authorization/roleDefinitions"
}
Azure Stack Registration Owner
Lets you manage Azure Stack registrations.
Actions | Description |
---|---|
Microsoft.AzureStack/edgeSubscriptions/read | |
Microsoft.AzureStack/registrations/products/*/action | |
Microsoft.AzureStack/registrations/products/read | Gets the properties of an Azure Stack Marketplace product |
Microsoft.AzureStack/registrations/read | Gets the properties of an Azure Stack registration |
NotActions | |
none | |
DataActions | |
none | |
NotDataActions | |
none | |
{
"assignableScopes": [
"/"
],
"description": "Lets you manage Azure Stack registrations.",
"id": "/providers/Microsoft.Authorization/roleDefinitions/6f12a6df-dd06-4f3e-bcb1-ce8be600526a",
"name": "6f12a6df-dd06-4f3e-bcb1-ce8be600526a",
"permissions": [
{
"actions": [
"Microsoft.AzureStack/edgeSubscriptions/read",
"Microsoft.AzureStack/registrations/products/*/action",
"Microsoft.AzureStack/registrations/products/read",
"Microsoft.AzureStack/registrations/read"
],
"notActions": [],
"dataActions": [],
"notDataActions": []
}
],
"roleName": "Azure Stack Registration Owner",
"roleType": "BuiltInRole",
"type": "Microsoft.Authorization/roleDefinitions"
}